In June 2024, the European Union Agency for Fundamental Rights (“FRA”) published a report on the experiences, challenges and practices of data protection authorities (“DPAs”) when implementing the EU General Data Protection Regulation (“GDPR”) (the “Report”). The Report was requested by the European Commission ahead of its 2024 GDPR evaluation report, which was published on July 25, 2024.
The FRA Report highlights the challenges that DPAs face when implementing the GDPR, despite the increasing scale and complexity of their work. A majority of DPAs stated that they had inadequate resources to carry out their functions. The FRA concluded that the DPAs’ independence, supervisory function, advisory function and cooperation function are all directly or indirectly affected by the availability of human, financial and technical resources.
As detailed in the Report, individual complaints to DPAs have increased and take up a large proportion of their work. Due to having inadequate resources to meet the high demand, DPAs often found that they had to prioritize responding to complaints over their other functions and were not always able to provide independent oversight and contribute to the activities of the European Data Protection Board.
Additionally, DPAs have received new obligations under emerging digital regulations which have expanded their roles, such as new obligations under the Digital Services Act. The FRA’s research also revealed that DPAs feel unprepared when it comes to regulating new technologies such as AI. Some of the key issues highlighted were the lack of time to research new technologies and insufficient financial resources to hire specialists with technical expertise in emerging technologies, such as AI or blockchain.